What is an XML bomb and how do I protect my Web service against it?
Requires Free Membership to View
When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.
Hannah Smalltree, Editorial Director
An XML bomb is a dangerous XML message that can be crafted by a malicious user. It could be sent by a service consumer (a client) as a request message to a Web service provider (a server) in order to cause a denial-of-service DoS attack. An XML bomb exploits Document Type Definition (DTD) processing functionality in XML parsers -- the software that parses an XML message -- by causing them to process an exponentially growing amount of data. A DoS attack could certainly be mounted by sending a message that is large in size to the service if the service is not configured to reject such messages. However, an XML bomb is actually a small XML message that is created in a way that makes the XML content grow only as it gets processed by the XML parser. Here is an example of an XML bomb:
To protect against such attacks, be sure to either use known commercial or open-source SOAP stacks that disallows DTDs, such as Apache Axis, or that ship as part of application server frameworks, such as .NET, WebLogic, WebSphere, etc. You can also disable DTD parsing in your XML parser. Certainly, adopting standards-based packages is often more secure than implementing things on your own.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE SOAP-ENV:Envelope [ <!ELEMENT SOAP-ENV:Envelope ANY> <!ATTLIST SOAP-ENV:Envelope entityReference CDATA #IMPLIED> <!ENTITY x0 "foo"> <!ENTITY x1 "&x0;&x0;" > <!ENTITY x2 "&x1;&x1;" > ... <!ENTITY x98 "&x97;&x97;" > <!ENTITY x99 "&x98;&x98;" > ] > <SOAP:Envelope entityReference="&x99;" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP:Body> <keyword xmlns="urn:parasoft:ws:store">foo</keyword> </SOAP:Body> </SOAP:Envelope>When a Web service receives such a message, and if the XML parser has DTD processing enabled, then it will cause the server to expand the entity reference x99;. This reference is defined in the DTD section which comes with the message (highlighted in red) to be equal to &x98; repeated twice, which is in turn defined as &x97; repeated twice and so on all the way to x0. In other words:
x0 = "foo"
x1 = "foofoo"
x2 = "foofoofoofoo"
…
x99 = "foofoofoofoofoo…foo" or "foo" repeated
299 = 633825300114114700748351602688
As the service expands the value of x, the size of the string containing the concatenated words "foo" reaches exponential levels, which causes it to quickly consume the server memory that is allocated to the application. Such exhaustion of the server resources causes a DoS, as other legitimate requests would not be processed while the server is busy concatenating useless "foo" strings. To protect against such attacks, be sure to either use known commercial or open-source SOAP stacks that disallows DTDs, such as Apache Axis, or that ship as part of application server frameworks, such as .NET, WebLogic, WebSphere, etc. You can also disable DTD parsing in your XML parser. Certainly, adopting standards-based packages is often more secure than implementing things on your own.
This was first published in February 2006
Join the conversationComment
Share
Comments
Results
Contribute to the conversation